In this challenge, we can see that there’s no code for us to exploit, it’s something in the system.
I log in to the system, and look in the /home/flag03 folder, as all the other challenges have started. I see there’s a writable.sh script, which I was guessing was the script getting called on a crontab every couple minutes.

So this script looks like it will execute anything in the writable.d folder that we put in there. And after some tinkering, I can see that it’s running it as the flag03 user that we want to escalate to.

My first thoughts were to create a bash script like previous challenges, and have it get created with SUID permissions. However this didn’t work, because apparently bash ignores the SUID bit, for security reasons. I then read up on using perl, but couldn’t get it to work, due to perl’s built in protection. Lastly, I settled on just good old C/C++. I spent forever messing around with this, because I was always setting the uid, but never the euid. When I forgot that, it would run bash, but I’d be the same user. I created this source file, and saved it to /tmp/level03.c

This will create a bash script to get picked up by the cron job. It first compiles the /tmp/level03.c code file and outputs the binary to /home/flag03/level03. Afterwards it sets the permissions to allow executing (and more technically) as well as SUID. After this command, I had to wait a couple minutes for it to get picked up by the cron job, but then I ran it, and got access to flag03.

level03@nebula:/home/flag03$ ./level03
flag03@nebula:/home/flag03$ getflag
You have successfully executed getflag on a target account